Need a primer on closing ports

Jerry A

Hi Folks,

Situation: Five networked Win XP Pro machines, fully
updated with SP2, behind a LinkSys SR41 router. When I do
a probe with any of the Internet tools, I show the HTTP
port as "invisible" but all of the other ports as "closed
but unsecured". I was under the impression that a router
and a firewall would be adequate security, so I'm
mystified by the results of the probe.

Can someone point me to a reference doc that explains the
fineries of closed versus invisible and what to do in a
practical sense to make sure my network is secure?

Thanks,
Jerry
 
WhiteZin2000

The difference between CLOSED and STEALTH (invisible, as you refer to it) is:

CLOSED means that the receiving machine acknowledged the incoming packet
with a TCP reset (RST). This indicates that there is no service bound (or
'listening') on the destination port (in your case; TCP port 80).

STEALTH means that the receiving machine did not respond to the incoming
packet or the packet was dropped by an intermediary device. This signifies
(in some cases) that there is a service listening on this port, but it has
some intelligence as to what types of incoming connections it will respond
to. In other cases, it may mean that there is a router or security boundary
between the sender and the receiving system and the intermediary device has
some intelligence regarding network responses. The packet may be dropped by
the intermediary device as well - thus there is no response and the port
appears to be 'invisible'.

A STEALTH port is considered more secure because from a hacker's perspective,
it isn't always 100% clear as to why there was no response - whereas a
CLOSED response means there is a target system willing to respond in some
manner (even if the response is a 'CLOSED').

A good security practice is to disable services unless they are needed for a
specific reason. This is why those services are disabled - to prevent
potential security holes :)

Cheers!
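
Added example, not part of the original posts: a minimal Python check that tells the states described above apart when run against a machine you administer. A refused connection (RST) is reported as "closed", no reply before the timeout as "stealth", and a completed handshake as "open". The function names, the loopback listener and the `silent_connect` stand-in are constructed for illustration.

```python
import socket


def classify_port(host, port, timeout=2.0, connect=socket.create_connection):
    """Return 'open', 'closed' or 'stealth' for one TCP port.

    `connect` is injectable so the no-reply case can be simulated offline.
    """
    try:
        conn = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The SYN was answered with a TCP reset: nothing is listening.
        return "closed"
    except socket.timeout:
        # Nothing came back before the timeout: the packet was dropped
        # or ignored somewhere between sender and target.
        return "stealth"
    conn.close()
    return "open"


def loopback_demo():
    """Classify a constructed listener on 127.0.0.1 before and after closing it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_port("127.0.0.1", port)
    listener.close()
    after_close = classify_port("127.0.0.1", port)
    return while_listening, after_close


def silent_connect(address, timeout):
    """Constructed stand-in for a device that silently drops the SYN."""
    raise socket.timeout("no reply")


if __name__ == "__main__":
    print(loopback_demo())
    # 192.0.2.1 is a documentation address; no packet is sent here.
    print(classify_port("192.0.2.1", 80, connect=silent_connect))
```

A check run from inside the LAN shows what each PC answers; only a probe from outside the router shows what the router lets through.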
 
Jerry A

Thanks!
Jerry